There is a staggering growth of endpoint mobile devices in enterprises. With this influx, Information Technology (IT) administrators can no longer ignore these mobile devices as simply outside their scope of responsibility. Correspondingly, there has been an unprecedented growth in the cloud services that an enterprise makes available to its employees. Traditionally, enterprises have deployed one secure application for each service on each platform, but this approach has failed to scale with the growth of mobility in IT. There are myriad cloud-based services being accessed from unmanaged endpoint mobile devices across diverse operating systems, uncontrolled network topologies and vaguely understood mobile geographies. Typically, enterprises have deployed applications for a specific service, applications to access corporate resources that themselves vary with network conditions, and applications to secure the endpoints themselves.
Conventionally, for each application, the enterprise user must perform numerous steps. For example, the end user must contact an enterprise administrator (i.e., in person or via a web portal) to configure the mobile device to use the endpoint application for a corresponding service. The end user must enroll in each application to access a service, and the enterprise administrator has to undertake the complex tasks of tracking, deploying and managing individual apps on each endpoint mobile device. Accordingly, it would be advantageous to eliminate the multiple applications for various enterprise functions and instead enable a user to connect to multiple cloud services.
Normally, to securely access multiple network resources concurrently, the end user has to connect to multiple applications, such as a corporate VPN for accessing the enterprise's internal resources (intranet) and a private VPN or a network filtering application for accessing internet resources. This is not only perplexing for the end user but also creates several compatibility issues between different applications which compete for network access at different layers of the network stack. For instance, the service of a Virtual Private Network (VPN) application that securely connects to an enterprise network is affected by a web security firewall application running on the same device which monitors and forbids any network interface changes. The situation is further exacerbated by the fact that the user needs to reconfigure each application whenever network conditions change, such as moving from one subnet to another, and that there is no indication to the user that such a change is required. All such service transitions must then be performed manually by the user with every network change. This is analogous to the situation where a user must statically configure the Internet Protocol (IP) address of a network interface for every network change. That problem was overcome by the Dynamic Host Configuration Protocol (DHCP), which discovers the configuration for the interface, such as the IP address, subnet mask, default gateways and Domain Name System (DNS) servers. With the advent of mobility and the explosion in the number of cloud services and mobile applications, there is a similar need for unified service discovery and secure availability.
Additionally, IT administrators need to restrict high-risk mobile devices from network access or from sensitive corporate resources to prevent data breaches or exposure to network attacks. With visibility into the actual risk of a mobile device, one approach is to restrict access to these sensitive resources from that device. However, it is advantageous and useful to allow network access to mobile devices in order to improve productivity.
Conventional Network Access Control (NAC) systems are predominantly static and severely limited in scope and implementation. Most NACs are on premise and rely on pre-enrollment static verifications of the requesting mobile device, such as anti-virus status, system update level, and configuration. If the mobile device conforms to the business policy and inventory management systems, access to the network is granted; otherwise it is denied. This mode of operation blatantly fails for mobile devices, which allow users to access network resources from a variety of mobile applications and network carriers across different geographies where a traditional IT administrator has no control. For example, a mobile device may bring malware from any outside network into the enterprise network and contaminate all other network devices.
Further, the systems that NACs employ to profile risk often operate in autonomous isolation and have only limited user/device context, which notably masks the appraisal of risk. For instance, a malicious user with a record of accessing malware applications from a "known" on-premise device may be allowed access to sensitive corporate resources without any advanced security challenge, whereas another, benign user with an "unknown" mobile device may be denied access to a trivial resource or be challenged with the strongest multi-factor authentication. Also, the IT administrator has to bear the responsibility of diligently updating NAC servers as new threats emerge in order to accurately measure the threat profile of the requesting device.
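The two preceding paragraphs contrast a posture-only NAC check with a decision that also weighs user and device context. The following Python model is an added illustration written for this page, not code from the patent or from any product it describes; the posture fields, risk weights, thresholds and the two sample requests (the "known device, malicious user" and "unknown device, benign user" cases from the text) are constructed assumptions for the example.

```python
"""Added illustration: a static, posture-only NAC decision beside a
context-aware one.  Every field name, weight, threshold and sample record
below is a constructed assumption for this example, not a real policy."""
from dataclasses import dataclass


@dataclass(frozen=True)
class DevicePosture:
    device_id: str
    known_on_premise: bool   # enrolled in the on-premise inventory
    antivirus_current: bool  # anti-virus status check
    os_patch_current: bool   # system update level check
    config_compliant: bool   # configuration check


@dataclass(frozen=True)
class UserContext:
    user_id: str
    malware_app_accesses: int  # prior accesses to known-malware apps
    failed_auth_last_day: int  # recent failed authentications


@dataclass(frozen=True)
class AccessRequest:
    user: UserContext
    device: DevicePosture
    resource_sensitivity: str  # "low" or "high"


def static_nac_decision(req: AccessRequest) -> str:
    """Conventional NAC: pre-enrollment device checks only, no user context.
    Returns 'allow' or 'deny'."""
    d = req.device
    if d.known_on_premise and d.antivirus_current and d.os_patch_current and d.config_compliant:
        return "allow"
    return "deny"


def device_risk(d: DevicePosture) -> int:
    """Constructed weights: a missing posture control adds to the score."""
    score = 0
    if not d.known_on_premise:
        score += 2
    if not d.antivirus_current:
        score += 3
    if not d.os_patch_current:
        score += 2
    if not d.config_compliant:
        score += 1
    return score


def user_risk(u: UserContext) -> int:
    """Constructed weights: malware history dominates, auth failures add a little."""
    return 4 * min(u.malware_app_accesses, 3) + min(u.failed_auth_last_day, 5)


def context_aware_decision(req: AccessRequest) -> str:
    """Risk-based decision combining device posture with user history.
    Returns 'allow', 'step_up' (require stronger authentication) or 'deny'.
    Sensitive resources get a tighter risk budget (constructed thresholds)."""
    risk = device_risk(req.device) + user_risk(req.user)
    allow_max, step_up_max = (1, 4) if req.resource_sensitivity == "high" else (4, 8)
    if risk <= allow_max:
        return "allow"
    if risk <= step_up_max:
        return "step_up"
    return "deny"


# Constructed sample requests mirroring the two cases described in the text.
MALICIOUS_USER_KNOWN_DEVICE = AccessRequest(
    user=UserContext("u-mallory", malware_app_accesses=3, failed_auth_last_day=0),
    device=DevicePosture("d-known-01", True, True, True, True),
    resource_sensitivity="high",
)
BENIGN_USER_UNKNOWN_DEVICE = AccessRequest(
    user=UserContext("u-alice", malware_app_accesses=0, failed_auth_last_day=0),
    device=DevicePosture("d-byod-07", False, True, True, True),
    resource_sensitivity="low",
)


def compare(req: AccessRequest) -> dict:
    """Evaluate one request under both policies for side-by-side review."""
    return {"static": static_nac_decision(req), "context_aware": context_aware_decision(req)}


if __name__ == "__main__":
    for name, req in (("malicious user, known device", MALICIOUS_USER_KNOWN_DEVICE),
                      ("benign user, unknown device", BENIGN_USER_UNKNOWN_DEVICE)):
        print(f"{name}: {compare(req)}")
```

Run as a script, the first case is allowed by the static check (the device passes every posture test) but denied once the user's malware history is counted, while the second is denied by the static check (unknown device) yet allowed for a low-sensitivity resource by the context-aware policy. The weights are deliberately simple; the design point is that the decision function takes both the device and the user as input, and that the risk budget depends on what is being requested.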